There and the amount of capital that has been stolen through this flavor of cybercrime. In 2018, $875 million was stolen in six major hacks; in 2019, an additional $282 million was pilfered in 11 hacks.
So far this year, there have been six cryptocurrency exchange hacks. While the exact amount of stolen capital from all of these hacks has not yet been totalled, estimates show that the total amount of crypto stolen is somewhere between $220 and $300 million.
The largest and most recent of these hacks took place on Friday, September 26th around 19:05 UTC, when KuCoin announced that at least $150 million worth of Bitcoin and Ethereum-based ERC-20 tokens had been pilfered from the exchange’s ‘hot’ (online) wallets.
Larry Cermak, Director of Research at The Block, said that the amount stolen could be as much as $280 million.
So I did some accounting of the KuCoin hack based on the wallets very likely associated and based on my estimation, there was nearly $280 million of assets stolen, not $150M. This would make it the third-largest hack in history and 7 times larger than the Binance hack last year..
— Larry Cermak (@lawmaster)
The exchange said that users do not need to worry about losing money: “rest assured, if any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund,” a statement declared.
However, the hack was an unfortunate reminder that although the crypto industry has come a long way when it comes to centralized exchange hacks, there is still a degree of risk involved in using them.
Centralized Exchanges Are Web Applications, and Are Therefore Vulnerable
ByBit chief executive, Ben Zhou told CoinTelegraph that as long as centralized exchanges exist, hackers will always be able to exploit them as a single point of failure.
Zhou explained that this is because essentially, centralized exchanges are web applications that are vulnerable in the same ways that all other centralized web applications are vulnerable.
And, as such, it only takes a single point of failure in order to compromise a whole system: it can only take one hacked email, one compromised employee, or one hacked account.
Case in point: remember the
Quick recap: several months ago, a 17-year-old boy in Florida managed to hack into the Twitter accounts of a number of high-profile celebrities and world leaders. He used this immense amount of stolen power to post messages inviting Bitcoin holders to send coins to addresses with the promise that their money would be doubled and returned.
(Spoiler alert: it was not.)
But how was this 17-year-old kid able to mastermind his way into these Twitter accounts (including those of Elon Musk, Barack Obama, and Joe Biden)?
Clever though he was, the hacker was not some kind of programming wiz. Rather, he allegedly convinced a Twitter employee that he worked in the Twitter IT department, and was therefore able to trick that employee into giving him the credentials.
Of course, Twitter’s security measures have since been criticized as being very poor at the time of the attack. Additionally, it is likely that reputable cryptocurrency exchanges, even those operating without being licensed by a government, have better security measures than Twitter did at the time it was hacked.
Still, the fact that centralized cryptocurrency exchanges are vulnerable to cyberattacks remains: there are simply too many points of failure.
Lack of Standards across Jurisdictions Means That Some Exchanges Are More Vulnerable Than Others
Additionally, a lack of standardized security measures on cryptocurrency exchanges from jurisdiction to jurisdiction means that entrusting funds to a centralized exchange can be a dangerous game of roulette.
For example, centralized cryptocurrency exchanges operating in jurisdictions that specifically regulate cryptocurrency exchanges are often subject to sets of requirements that ensure their safety.
, cryptocurrency exchanges must fulfill a set of requirements in order to obtain operational licenses. These requirements include things like the employment of third-party custodial services to keep custody of their users’ assets.
Furthermore, if Japan-based exchanges use ‘hot’ wallets, they are obligated to hold ‘the same kind and the same quantities of crypto assets’ in cold storage in order to repay their users should the hot wallet funds be compromised.
“…It’s Quite Odd to Me That KuCoin Is Confident They Can Cover These Amounts with the Insurance Fund.”
However, beyond these regulated jurisdictions, cryptocurrency exchanges are only good as their word.
And sometimes, the word is good enough – KuCoin, for example, said that “if any user fund is affected by this incident, it will be covered completely by KuCoin,” after it was hacked for more than $150 million earlier this week.
The Block’s Larry Cermak cast doubt on this claim on Twitter: “…it’s quite odd to me that KuCoin is confident they can cover these amounts with the insurance fund,” he said. “My opinion is that there is almost no chance this is recoverable.”
Yes, some of these tokens have been frozen, forked, and blacklisted. And the amounts above don’t reflect that. But it’s quite odd to me that KuCoin is confident they can cover these amounts with the insurance fund. My opinion is that there is almost no chance this is recoverable
— Larry Cermak (@lawmaster)
And while some jurisdictions require exchanges to keep a certain amount of money in their insurance funds at all times, it is unclear which jurisdiction is responsible for regulating KuCoin.
CoinTelegraph reported that KuCoin said in 2018 that it was headquartered in Singapore. However, KuCoin is not licensed in Singapore and did not file with the Monetary Authority of Singapore earlier this year to request a deferral of the requirement to operate without a payments license, which would have allowed the exchange to operate in Singapore through July.
Therefore, without a license or a deferral, KuCoin cannot legally operate in Singapore. It remains unclear whether KuCoin is still headquartered in Singapore or if the exchange is based elsewhere; on its website, KuCoin’s it “operates in the Seychelles.”
Still, while KuCoin’s reputation as a popular and well-kept cryptocurrency exchange, along with promises to return any stolen user funds, are enough to reassure affected users that they will, in fact, be reimbursed. Though, this is not always the case for other centralized cryptocurrency exchanges.
We all knew an exchange hack was coming. It appears as though KuCoin is going to take it on the chin and users won’t lose funds.
I trade a lot on the Ku and have more coins there than I should.
Big wake up call regardless if funds are or not.
— EllioTrades (@elliotrades)
Straddling the Line between Providing Enough Liquidity for Traders and Keeping Funds Safe
A lack of best practices enforced by standardized licensing and regulation requirements also means that cryptocurrency exchanges could be making themselves more vulnerable than was necessary in the first place.
For example, Charles Guillemet, chief technical officer of Ledger, a leading crypto security company, said in a statement shared with Finance Magnates that “it seems incredible that KuCoin would keep upwards of $150-220M in hot storage.
“This runs a high risk when it comes to governance and management of liquidity. Exchanges must encourage risk mitigation tactics like using a hardware wallet and educating users to only allocate less than 10% of their crypto assets to hot wallets.”
This highlights an important challenge that cryptocurrency exchanges have to deal with every day: straddling the line between providing enough liquidity for traders and keeping funds safe.
ByBit chief executive, Ben Zhou commented to CoinTelegraph that there are benefits and drawbacks to both systems: cold wallet systems are more secure since hot wallets are connected to the internet, which makes them more vulnerable to hacking. On the other hand, deploying a cold wallet system does not allow users to make large withdrawals from an exchange immediately, which could be a problem for institutional traders.
Therefore, there may not be any right answer when it comes to how cryptocurrency exchanges should design their custody systems. One thing is for sure, though, any system needs to be built with intention and tested heavily.
“This can be accomplished by applying best practices for application lifecycle management, hiring knowledgeable and reputable security consultants for penetration testing and running bounty programs within the white hat community to identify any potential vulnerabilities,” ByBit’s Ben Zhou commented.
While Centralized Exchanges Have Their Flaws, DEXs Are Not Really Ready for the Mainstream
While centralized cryptocurrency exchanges remain vulnerable, it is not clear if their alternative, decentralized exchanges (DEXs), are a viable alternative at this point.
The Kucoin hack feels like a tipping point.
The crypto markets shrugged off a $150mm loss like “well that was dumb but we should have been trading on decentralized exchanges this year anyway.”
+ blockchain bridges
+ oracle, wallet infra
+ privacy solutions
— Ryan Selkis (@twobitidiot)
Still, trading volume on decentralized exchanges is increasing. Citing data from blockchain analytics firm Dune, Brave New Coin reported in August that “trading volume on decentralized crypto exchanges (DEXs) has surged in the last year — and is up over 1500% since January 1st.”
Over the long term, as hacks continue to take place on centralized exchanges, interest in DEXs is expected to continue to grow. As DEXs become more popular (and more reliable) over time, we could eventually see DEXs turn into formidable competitors for their centralized counterparts.
The pain of hacks on centralized exchanges, & even if just FUD, will lead people to consider moving more funds on-chain.
As a result, will continue to grow as DEXs like become easier to adopt with & other emerging DEX assistants.
— AstroTools.io (@Astro_Tools)
However, until then, centralized exchanges – warts and all – will continue to be the norm.
Finance Magnates reached out to KuCoin for commentary on this story. KuCoin was not immediately available for comment. Comments will be added as they are received.